[BUG] Capability returned by JALR.PCC #44

@Andreas-Bur

Description

Is there an existing CVA6 bug for this?

  • I have searched the existing bug issues

Bug Description

According to the CHERI specification, JALR.PCC writes the offset of the next instruction into the integer register rd, irrespective of whether we are in cap mode or int mode. It appears there is a bug where CVA6 writes the whole PCC into the register instead of just the offset if we are in cap mode. It also sets the tag as valid.

PoC:

  # Setup cap mode
  cspecialrw c1, 31, c0
  addi x2, x0, 1
  csetflags c1, c1, x2
  auipc x2, 0
  addi x2, x2, 16
  csetaddr c3, c1, x2
  jalr.cap c0, c3

  # Trigger bug
  auipcc c4, 0
  addi x4, x4, 12
  jalr.pcc x5, x4

Expected value of c5: 0x00000000000100040000000080000028
Actual value of c5: 0xffff2000080100040000000080000028
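A small reference model of the behaviour described in this report, added here as an example; it is not part of the issue or of CVA6's code. The `Cap` dataclass is an abstract stand-in (tag, base, length, address, mode flag) and does not reproduce CVA6's 128-bit compressed capability encoding, so it models the semantics of the PoC rather than decoding the hex values above.

```python
from dataclasses import dataclass, replace

MASK64 = 0xFFFF_FFFF_FFFF_FFFF


@dataclass(frozen=True)
class Cap:
    """Abstract capability (constructed for this example, not CVA6's encoding)."""
    tag: bool
    base: int
    length: int
    address: int
    cap_mode: bool = False  # stands in for the flag toggled by csetflags in the PoC

    @property
    def offset(self) -> int:
        return (self.address - self.base) & MASK64


def int_reg(value: int) -> Cap:
    """An integer result as seen in the merged register file: null-derived,
    untagged, no bounds, only the address field carries the value."""
    return Cap(tag=False, base=0, length=0, address=value & MASK64)


def jalr_pcc_spec(pcc: Cap, insn_size: int = 4) -> Cap:
    """Specified rd for JALR.PCC: offset of the next instruction as an
    integer, identical in integer mode and capability mode."""
    next_pc = replace(pcc, address=pcc.address + insn_size)
    return int_reg(next_pc.offset)


def jalr_pcc_reported(pcc: Cap, insn_size: int = 4) -> Cap:
    """Behaviour the report describes: in capability mode the whole PCC
    (bounds, flags and a set tag) with the advanced address lands in rd."""
    next_pc = replace(pcc, address=pcc.address + insn_size)
    if pcc.cap_mode:
        return next_pc
    return int_reg(next_pc.offset)


def leaked_pcc_metadata(rd: Cap) -> bool:
    """Check for a test harness: rd must be untagged and carry no bounds,
    whatever the mode; True means PCC metadata escaped into rd."""
    return rd.tag or rd.base != 0 or rd.length != 0
```

Feeding the PoC's capability-mode PCC (address of the `jalr.pcc` itself, 0x80000024 given the PoC layout) through both models shows the same address 0x80000028 in rd, but only the reported behaviour leaves the tag set.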
